Research suggests the average cost of penetration testing is $200 per hour, as of April 2010. Most forum posts on the subject, which are really RFIs and RFPs, ask the wrong question. People ask in general terms how much a pen test costs, and the answer is always "it depends." Eventually, several individuals broke the costs down and showed that the price comes out to around $200 per hour in the United States. Sometimes this does not include a reporting fee, but like anything in this business, it depends on how the contract is written and what the deliverables are.
If someone were to take this $200 per hour rate and apply it to a military or civilian agency pen test, the price would be astronomical. The attack time alone, at 12-hour days, six days a week, for two weeks (144 hours), would cost $28,800. This does not include travel costs, per diem, or logistics, and it is for a single pen tester!
James DeLuccia IV wrote a good blog post on evaluating pen testers back in 2006. He states in its conclusion that good pen testers use automated pen testing products, such as Core Impact, only about 10% of the time; the rest of the engagement is improvised from what they find, which is what makes it a true pen test. This requires extreme devotion to the profession and, in our opinion, a job that is also the professional's hobby.
The costs associated with this profession are relatively high. Tools like Core Impact are pricey, though there are alternatives such as Metasploit. A search for technical penetration testing literature at online retailers such as Amazon shows how expensive the knowledge itself is. Most of the information found in pen testing books can be found online for free; it just takes time and a willingness to look for it.